<h2 id="shorewall">2.3. Shorewall</h2>
<p><a href="http://shorewall.net">Shorewall</a> is a gateway/firewall
configuration tool. "You describe your firewall/gateway requirements
using entries in a set of configuration files. Shorewall reads those
configuration files and with the help of the iptables, iptables-restore,
ip and tc utilities, Shorewall configures Netfilter and the Linux
networking subsystem to match your requirements."</p>
<p>This is a summary of
<a href="http://shorewall.net/two-interface.htm">Basic Two-Interface Firewall</a>.
</p>
<h3 id="shorewall-install">2.3.1. Install Shorewall</h3>
<p>The Shorewall port is part of the <a href="https://crux.nu/portdb/index.php?a=repo&q=kris">Kris Collection</a>
and of the <a href="../install/ports.html#sysdoccollection">sysdoc collection</a>.</p>
<pre>
$ prt-get depinst shorewall
</pre>
<p>Get the samples from the distribution file;</p>
<pre>
$ mkdir sample && cd sample
$ tar xf ../shorewall-5.0.8.2.tar.bz2
$ cd /srv/ports/work/shorewall-5.0.8.2
$ ls
README.txt            policy                   shorewall.conf.annotated
interfaces            policy.annotated         stoppedrules
interfaces.annotated  rules                    stoppedrules.annotated
masq                  rules.annotated          zones
masq.annotated        shorewall.conf           zones.annotated
</pre>
<p>Copy the sample files to /etc/shorewall;</p>
<pre>
$ sudo cp Samples/two-interfaces/* /etc/shorewall/
</pre>
<p>The extracted distribution files are no longer needed;</p>
<pre>
$ cd ../../ && rm -fR sample
</pre>
<h3 id="shorewall-configure">2.3.2. Configure Shorewall</h3>
<p>Tip: each file in /etc/shorewall has a man page named after it; for
example, to get help about the zones file call man shorewall-zones.
Some files have names ending in '.annotated'; you might choose to look
at those files instead.</p>
<p>Rules about which traffic to allow and which traffic to deny are expressed in
terms of zones;</p>
<ul>
<li>Define default policy for connections from one zone to
another zone in /etc/shorewall/policy.</li>
<li>Define exceptions to those default policies in
/etc/shorewall/rules.</li>
</ul>
<p>Edit <a href="../conf/etc/shorewall/shorewall.conf">/etc/shorewall/shorewall.conf</a></p>
<pre>
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
</pre>
<h4 id="shorewall-interfaces">2.3.5. Configure Interfaces</h4>
<p>Show the default route; the last one listed should be your external interface;</p>
<pre>
# ip route ls
</pre>
<p>This example assumes enp8s0 is connected to the router and
wlp7s0 is the wireless access point.</p>
<p>Edit <a href="../conf/etc/shorewall/interfaces">/etc/shorewall/interfaces</a></p>
<pre>
###############################################################################
#ZONE   INTERFACE   OPTIONS
net     enp8s0      dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc     wlp7s0      tcpflags,nosmurfs,routefilter,logmartians
</pre>
<p>Edit <a href="../conf/etc/shorewall/stoppedrules">/etc/shorewall/stoppedrules</a></p>
<pre>
###############################################################################
#ACTION   SOURCE    DEST      PROTO   DEST      SOURCE
#                                     PORT(S)   PORT(S)
ACCEPT    enp3s0    -
ACCEPT    -         enp3s0
</pre>
<h4 id="shorewall-zones">2.3.3. Configure Zones</h4>
<p>Shorewall recognizes the firewall system as a zone of its own, as can be
seen in the zones defined by the two-interfaces example;</p>
<p>Edit <a href="../conf/etc/shorewall/zones">/etc/shorewall/zones</a></p>
<pre>
###############################################################################
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
loc     ipv4
</pre>
<h4 id="shorewall-policy">2.3.4. Configure Policy</h4>
<p>Change the default /etc/shorewall/policy; this example limits
which connections are allowed to and from the firewall, and the default
policy will be drop;</p>
<p>Edit <a href="../conf/etc/shorewall/policy">/etc/shorewall/policy</a></p>
<pre>
##############################################################################
#SOURCE   DEST    POLICY    LOG LEVEL   LIMIT:BURST
loc       net     ACCEPT    info
net       all     DROP      warning
$FW       net     DROP      warning
loc       $FW     DROP      warning
$FW       loc     DROP      warning
# THE FOLLOWING POLICY MUST BE LAST
all       all     REJECT    warning
</pre>
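<p>The policy file is read top to bottom and the first matching line wins, which is why the catch-all must be last. The script below is an added example, not code from this page or from the Shorewall project: it parses the policy block above and resolves what it does for a given zone pair, and flags entries that can never match. It models only that first-match lookup; Shorewall's special handling of intra-zone and $FW-to-$FW traffic is not modelled.</p>

```python
"""First-match lookup over a Shorewall policy file (added example, not page code).
Each line is SOURCE DEST POLICY [LOG LEVEL [LIMIT:BURST]]; 'all' is a wildcard in
either column and the first matching line wins, which is why 'all all REJECT' must
be last. Intra-zone and $FW-to-$FW traffic, which Shorewall treats specially,
are not modelled.
"""
from __future__ import annotations
from dataclasses import dataclass

# The policy block from this page, embedded so the script runs offline.
POLICY_TEXT = """\
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc     net  ACCEPT info
net     all  DROP   warning
$FW     net  DROP   warning
loc     $FW  DROP   warning
$FW     loc  DROP   warning
all     all  REJECT warning    # must be last
"""

@dataclass
class Policy:
    source: str
    dest: str
    action: str
    log_level: str | None = None
    limit: str | None = None

def parse_policy(text: str) -> list[Policy]:
    """Parse policy lines; '#' comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        entries.append(Policy(*fields[:5]))  # fewer than 3 fields raises TypeError
    return entries

def lookup(entries: list[Policy], source: str, dest: str) -> Policy | None:
    """Return the first entry matching the zone pair ('all' matches any zone)."""
    for p in entries:
        if p.source in (source, "all") and p.dest in (dest, "all"):
            return p
    return None  # Shorewall itself refuses a policy file with no catch-all

def unreachable(entries: list[Policy]) -> list[Policy]:
    """Entries after an 'all all' catch-all can never match: a config smell."""
    for i, p in enumerate(entries):
        if p.source == "all" and p.dest == "all":
            return entries[i + 1:]
    return []
```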
<h4 id="shorewall-snat">2.3.6. SNAT/Masquerading</h4>
<p>In Shorewall, both Masquerading and SNAT are configured with
entries in the /etc/shorewall/masq file. You will normally use
Masquerading if your external IP is dynamic and SNAT if the IP
is static.</p>
<p>Since <a href="../conf/etc/rc.d/net">/etc/rc.d/net</a>
configures enp8s0 with a static address, change /etc/shorewall/masq so
that it uses SNAT;</p>
<p>Edit <a href="../conf/etc/shorewall/masq">/etc/shorewall/masq</a></p>
<pre>
#######################################################################################
#INTERFACE:DEST   SOURCE        ADDRESS         PROTO   PORT(S)   IPSEC   MARK
#
# INTERFACE is the outgoing (external) interface, SOURCE the internal network
# to translate and ADDRESS the static external address to SNAT to.
enp8s0            10.0.0.0/24   192.168.1.254
</pre>
<h4 id="shorewall-dnat">2.3.7. DNAT</h4>
<p>Destination Network Address Translation (DNAT) entries are defined in
/etc/shorewall/rules;</p>
<h4 id="shorewall-rules">2.3.8. Rules</h4>
<p>Example <a href="../conf/etc/shorewall/rules">/etc/shorewall/rules</a> file.</p>
<h4 id="shorewall-log">2.3.9. Logging</h4>
<pre>
$ sudo mkdir /var/log/shorewall
</pre>
<p>Example syslog-ng configuration for Shorewall;</p>
<pre>
# s_kernel is the kernel log source already defined in syslog-ng.conf
destination d_shorewall_warn { file("/var/log/shorewall/warn.log"); };
destination d_shorewall_info { file("/var/log/shorewall/info.log"); };
filter f_shorewall_warn {
    level(warn)
    and match("Shorewall" value("MESSAGE"));
};
filter f_shorewall_info {
    level(info)
    and match("Shorewall" value("MESSAGE"));
};
log { source(s_kernel); filter(f_shorewall_warn); destination(d_shorewall_warn); flags(final); };
log { source(s_kernel); filter(f_shorewall_info); destination(d_shorewall_info); flags(final); };
</pre>
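<p>To make use of what those two files collect, here is an added example (not from this page or the Shorewall project) that parses kernel lines carrying the default 'Shorewall:&lt;chain&gt;:&lt;disposition&gt;:' prefix and summarises logged packets by in-interface, protocol and destination port, and by source address. The sample log lines and the hostname gw are constructed; chain names vary by Shorewall version.</p>

```python
"""Summarise Shorewall log lines as written by the syslog-ng setup above.
Added example, not page or project code. Assumes the default log prefix
'Shorewall:<chain>:<disposition>:' followed by netfilter key=value fields;
the sample lines are constructed and chain names vary by Shorewall version.
"""
import re
from collections import Counter

# Constructed sample of /var/log/shorewall/warn.log (syslog-ng default template).
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: Shorewall:net-all:DROP:IN=enp8s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.254 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=22 SYN
Mar  3 10:15:02 gw kernel: Shorewall:net-all:DROP:IN=enp8s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.254 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=41235 DPT=23 SYN
Mar  3 10:15:03 gw kernel: Shorewall:loc-fw:DROP:IN=wlp7s0 OUT= MAC=cc:dd:ee:ff:00:11:22:33:44:55:66:77:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TTL=64 ID=1 PROTO=UDP SPT=5353 DPT=5353
Mar  3 10:15:04 gw kernel: unrelated kernel message, not from Shorewall
"""

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")

def parse_line(line: str):
    """Parse one line into a dict; returns None for lines without the prefix."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp"), "flags": []}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val            # e.g. SRC=203.0.113.7, DPT=22, OUT= (empty)
        else:
            rec["flags"].append(tok)  # bare tokens such as DF or SYN
    return rec

def summarise(text: str):
    """Count logged packets by (disposition, IN, PROTO, DPT) and by SRC."""
    by_target, by_source, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # lines that are not Shorewall log entries
            continue
        by_target[(rec["disposition"], rec.get("IN", "-"),
                   rec.get("PROTO", "-"), rec.get("DPT", "-"))] += 1
        by_source[rec.get("SRC", "-")] += 1
    return by_target, by_source, skipped

if __name__ == "__main__":
    targets, sources, skipped = summarise(SAMPLE_LOG)
    print(targets.most_common(), sources.most_common(3), "skipped:", skipped)
```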